UK’s Parliamentary Digital Service Automates Active Directory User Management

How would you like to manage Active Directory user management and security for one of the world’s highest-profile government bodies?

The Parliamentary Digital Service (PDS) supports the UK’s House of Commons and the House of Lords, plus all Parliament staff members. It provides IT services, manages the network, develops applications, runs the Parliament.uk website and social media, and anticipates technology needs down the road.

All while keeping Parliament safe from cybercriminals.

“The security threats are non-stop,” says Cherry O’Donnell, head of identity and access management at PDS. “We are a major target, making network security a top focus.”

Handling JMLs and PAM manually took too much time

PDS must deal not only with the volume of changes — 100 to 200 users join or leave the network each month — but also with the variety of Active Directory (AD) account types. They manage the accounts of Members of Parliament (MPs), their personnel, the Lords, their employees and more than 2,000 permanent parliamentary staff. They also manage AD groups for new, current and former users in Parliament and for the privileged accounts of employees like administrators, who need to access hardware.

As in any large organization, Parliament’s users are continually joining, moving and leaving (JML), which makes for a lot of Active Directory user management. PDS had manual update processes in place, based on email requests for arriving, changing and departing users.

PDS also handled privileged access management (PAM) manually. High-privilege users had unrestricted permission to execute tasks like patching and could perform them at any time. That was a far cry from the Zero Trust model PDS aspired to.

PDS saw that executing so many changes without automation exposed them to the risk of human error. They worried that manual processes would eventually create an opportunity for an outsider to gain unauthorized access to the network.

Active Directory user management and security with Active Roles

PDS wanted to bring their existing One Identity Active Roles installation up to date, including automation and the capacity for hybrid AD.

Since engaging One Identity for the project, PSD saves hours a month on access management, because JML management in AD is now fully automated. That allows the identity and access management team to recoup precious time.

“The hours we save allow us to press ahead with initiatives such as re-platforming for Active Roles 7.4,” says O’Donnell. “Saving hours of time means we can now do important work like threat analysis. I’m surprised we found time to get things done in the past.” There are no longer emails flying around with requests for account access when someone new begins, or for account termination when someone leaves.

Additionally, PDS can now enforce automatic time limits on server access for tasks like patching. To accommodate remote work, they’ve begun developing a web form powered by Active Roles that adds participants to AD groups for Zoom meetings, then automatically removes them afterwards. “There is no risk of anyone forgetting to do it,” says O’Donnell.

PDS is moving toward AD account management from the cloud using Active Roles 7.4. The time they save through automation frees them up to work on migration to a hybrid cloud model.

“We’ll be able to create users in the cloud and give them access to SharePoint and One Drive all through a single workflow,” says O’Donnell. “Technology gives us new opportunities while creating new risks at the same time. One Identity provides the tools to make the most of the good while protecting us from the bad. It’s peace of mind out of the box.”